March 28, 2018

March 2, 2018

Summary

"Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. This vulnerability can be exploited by anonymous users." [1]

This is a critical vulnerability that can be exploited remotely without authentication. Upgrade your Drupal 7 instances immediately.
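The advisory text above does not say how a crafted request reaches the SQL. The fix shipped in 7.32 is a one-line change in Drupal 7's DatabaseConnection::expandArguments(): array-valued placeholders are expanded into ":key_<index>" placeholders, and before 7.32 <index> was taken from the array's own keys, which a request can set to arbitrary text. The block below is an added example, not Drupal's code: a Python model of that expansion logic in its pre-7.32 and 7.32 forms, run over a constructed request array. The query, placeholder name and crafted key are illustrative.

```python
import re

# Added example (not Drupal's own code): a Python model of the placeholder
# expansion in Drupal 7's DatabaseConnection::expandArguments(), before and after
# the 7.32 fix. Assumption: arrays submitted in a request are modelled as dicts,
# because PHP arrays carry caller-chosen keys, while lists model plain arrays.


def expand_arguments(query, args, fixed):
    """Expand array-valued placeholders in `query`.

    `args` maps placeholder names (":name") to scalars or arrays. Returns the
    rewritten query and the new args mapping, mirroring the PHP method, which
    rewrites both by reference.
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, (list, dict)):
            continue
        if isinstance(data, dict) and not fixed:
            items = list(data.items())          # pre-7.32: array keys become SQL text
        else:
            values = data.values() if isinstance(data, dict) else data
            items = list(enumerate(values))     # 7.32: array_values() re-indexes first
        new_keys = {"%s_%s" % (key, i): value for i, value in items}
        placeholders = ", ".join(new_keys)
        # Same intent as the PHP preg_replace: replace ":name" but not ":name_other".
        query = re.sub(re.escape(key) + r"\b", lambda _m: placeholders, query)
        del args[key]
        args.update(new_keys)
    return query, args


QUERY = "SELECT uid FROM users WHERE name IN (:name)"

# Constructed request data: the array PHP builds from a query string of the form
#   name[<crafted key>]=x&name[]=y
# i.e. one caller-chosen string key followed by one automatic integer key.
CRAFTED_NAME = {
    "0 ;update users set name='owned' where uid=1 -- ": "x",
    0: "y",
}


def demo():
    """Expand the same crafted argument with the vulnerable and the fixed logic."""
    before = expand_arguments(QUERY, {":name": CRAFTED_NAME}, fixed=False)
    after = expand_arguments(QUERY, {":name": CRAFTED_NAME}, fixed=True)
    return before, after


if __name__ == "__main__":
    (q1, a1), (q2, a2) = demo()
    print("before 7.32:", q1)   # crafted key lands verbatim in the SQL text
    print("after  7.32:", q2)   # only ":name_0, :name_1" reaches the SQL text
```

With the pre-7.32 logic the crafted key is copied straight into the query string ahead of the prepared-statement layer, so the database receives attacker-written SQL; with array_values() the only text derived from the request is an integer index, and the values themselves stay bound parameters.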

Impact

Depending on the content of the requests, successful attacks can lead to privilege escalation, arbitrary PHP execution, or other attacks.

Vulnerable

Drupal core 7.x versions prior to 7.32

Hosted Drupal instances at providers such as Pantheon and Acquia
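A version string alone does not settle whether a site is exposed: a site patched in place (including many hosted ones) keeps its old core version while carrying the fix. The following is an added check, not part of the advisory or of Drupal, that reads both signals. It assumes, as in Drupal 7 core, that the version is defined as VERSION in includes/bootstrap.inc and that the fix can be recognised by the array_values() call in expandArguments() in includes/database/database.inc; the file fragments embedded in the block are constructed stand-ins so it runs offline.

```python
import re
from pathlib import Path

# Constructed stand-ins for the two core files the check reads (assumption: a
# Drupal 7 docroot keeps VERSION in includes/bootstrap.inc and the
# expandArguments() loop in includes/database/database.inc).
SAMPLE_BOOTSTRAP_7_31 = "<?php\ndefine('VERSION', '7.31');\n"
SAMPLE_DATABASE_UNPATCHED = (
    "<?php\n"
    "      foreach ($data as $i => $value) {\n"
    "        $new_keys[$key . '_' . $i] = $value;\n"
    "      }\n"
)
SAMPLE_DATABASE_PATCHED = SAMPLE_DATABASE_UNPATCHED.replace(
    "foreach ($data as", "foreach (array_values($data) as"
)

VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")
FIX_RE = re.compile(
    r"foreach\s*\(\s*array_values\(\s*\$data\s*\)\s+as\s+\$i\s*=>\s*\$value\s*\)"
)


def parse_version(bootstrap_src):
    """Return the core version string from bootstrap.inc, or None if absent."""
    m = VERSION_RE.search(bootstrap_src)
    return m.group(1) if m else None


def version_tuple(version):
    """'7.31' -> (7, 31); None for unparseable strings such as '7.x-dev'."""
    try:
        major, minor = version.split(".", 1)
        return int(major), int(minor)
    except (AttributeError, ValueError):
        return None


def fix_present(database_src):
    """True if expandArguments() re-indexes array arguments with array_values()."""
    return FIX_RE.search(database_src) is not None


def assess(bootstrap_src, database_src):
    """Classify a site from the text of its two core files."""
    version = parse_version(bootstrap_src)
    vt = version_tuple(version)
    patched = fix_present(database_src)
    if vt is None:
        status = "unknown: cannot parse core version"
    elif vt[0] != 7:
        status = "not affected: not Drupal 7.x core"
    elif vt >= (7, 32):
        status = "fixed: core 7.32 or later"
    elif patched:
        status = "hotfixed: core before 7.32 with the expandArguments() fix applied"
    else:
        status = "VULNERABLE: core before 7.32 without the fix"
    return {"version": version, "fix_present": patched, "status": status}


def assess_docroot(docroot):
    """Run the check against a real Drupal 7 docroot (path is the caller's)."""
    root = Path(docroot)
    return assess(
        (root / "includes" / "bootstrap.inc").read_text(),
        (root / "includes" / "database" / "database.inc").read_text(),
    )


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(assess_docroot(sys.argv[1]))
    else:
        print(assess(SAMPLE_BOOTSTRAP_7_31, SAMPLE_DATABASE_UNPATCHED))
        print(assess(SAMPLE_BOOTSTRAP_7_31, SAMPLE_DATABASE_PATCHED))
```

Run it with a docroot path to inspect a real installation; a "hotfixed" result means the one-line fix is present but the site should still be brought to 7.32 so that later core updates apply cleanly.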

Recommendations

Upgrade to Drupal 7.32 immediately.

If you cannot upgrade to Drupal 7.32 right away, you may apply a temporary patch to address this vulnerability: